Rather than give Top 10 predictions that look at threats from the point of view of the solution, we at Cyberoam decided to go into the drivers behind the threats of 2009, with the clear intention of helping CISOs judge for themselves what is a potential threat based on their own organization's workings.

It's true that threats have turned commercial. But there's more to it than just commercial threats this year. That brings us to the 3 Security Questions that Predict Threats.
 |
1. What are the happenings in my organization that I should watch out for?
2. Which global events can have an impact on me and my organization's security?
3. Which infrastructure elements make me more vulnerable?

3 Drivers behind the 2009 Threats
When answering these questions, the following drivers behind the 2009 threats came up:
Downturn - It's going to have a nasty effect

Infrastructure - New stuff brings in new vulnerabilities
But before we go to them, let's look at the method behind the madness. Whether the threats are after commercial gain or are ideological, driven by religious or nationalistic feeling, guerrilla warfare is the common theme: reconnoitre, plan thoroughly, launch a short surprise attack, withdraw fast, change to a different IP, and attack again in a newer form.

Changing colours fast enough to put a chameleon to shame, attackers will continue to thrive on anonymity and the element of surprise. So, while known threats will remain as long as they retain some effectiveness, look out for what you don't expect. That sounds like a Catch-22, but not if you are looking at where you are vulnerable, and vulnerabilities aren't just about IT and security infrastructure. They are about the way the organization functions too.

And the one effective solution in all this is to watch the user.

The downturn has brought about an imbalance in people's lives. People are least vulnerable when they are in a state of balance. Bring in some despondency or exhilaration, moments that take people out of the realm of the predictable, and their responses differ from the times when they can think logically. In many countries these are despondent times, if not in reality for some people, then certainly in the minds of many. The downturn threat predictions bring home the fact that this is a time when CISOs need to work closely with other departments, as much for security in their own domain as for the security of other domains in the organization.
 |
Phishing - Be prepared for phishing attacks with false job promises, bogus offers of mortgage loans, low housing prices and cheap-buy offers. Customers whose banks have changed hands are a point of vulnerability: half-expecting the new owner to get in touch, they are ready to hand over their usernames and passwords to be "revalidated". And it isn't only the large, well-known banks' customers who are at risk. Smaller banks are targets too, as are healthcare and retirement plans. Organizations in these businesses need to be prepared for the vulnerability faced by their customers and lend a hand in helping those customers protect themselves.
 |
Corporate Lay-offs & Insider Threats - There is no enemy more bitter than a disgruntled ex-employee. As companies lay off increasing numbers of workers in a world where slowdown is the watchword, insider threats stare CISOs in the face. Access control and the prompt termination of access rights during mass lay-offs are a critical side of security that requires C-level executives to coordinate the whole affair jointly with the CISO: HR and security need one shared list of who is leaving and when, so that every account and remote-access entitlement is revoked on the day of departure rather than discovered weeks later.
 |
On the Job Hunt - Those who are laid off are out on a desperate job search. So, threats to job portals will rise, since candidates give out personal contact information there, and so will bogus job offers designed to harvest identity information. And then there will be creative attackers like “the man who used a Craigslist ad to hire a dozen unsuspecting decoys to be in the area as he made his getaway. The ad was for a prevailing-wage job - $28.50 an hour - for a road maintenance project. Those who inquired were told to show up to work wearing a "yellow vest, safety goggles, a respirator mask ... and, if possible, a blue shirt." Turns out that's also what the robber wore.”
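The access-termination problem raised under Corporate Lay-offs above is, at bottom, a reconciliation job: the HR separation list and the directory must agree, and the gap between them is where ex-employee access survives. The following is an added example, not Cyberoam's tooling and not code from the original text. It cross-checks a constructed HR termination list against a constructed directory export and flags accounts still enabled after their owner's termination date, notes any logon after that date, and separately flags accounts with no owner on record so shared and service accounts get reviewed too. The CSV column names, the `enabled` flag format, the review date and the grace period are all assumptions; a real directory export will look different.

```python
"""Cross-check an HR termination list against directory accounts.

Added example for the lay-off scenario; not Cyberoam's tooling.
The CSV layouts, the "enabled" flag and the grace period are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample data: HR separations export (employee_id, termination date).
HR_TERMINATIONS_CSV = """employee_id,name,termination_date
1001,Alice Example,2009-01-15
1002,Bob Example,2009-01-15
1003,Carol Example,2009-02-01
"""

# Constructed sample data: directory export, one account per row.
DIRECTORY_CSV = """username,employee_id,enabled,last_logon
alice,1001,true,2009-01-20
bob,1002,false,2009-01-14
carol,1003,true,2009-01-30
svc_backup,,true,2009-02-02
dave,1004,true,2009-02-02
"""

# Assumed review date for the sample run.
AS_OF = date(2009, 2, 2)


def parse_csv(text):
    """Parse CSV text with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_orphaned_access(hr_csv, directory_csv, as_of, grace_days=0):
    """Return [(username, reason)] for enabled accounts that should not be.

    An account is flagged when its employee_id is on the HR termination list
    with a termination date on or before as_of minus grace_days, and the
    account is still enabled. A logon after the termination date is noted
    because it means the ex-employee actually used the access. Accounts with
    no employee_id (shared or service accounts) are flagged for review since
    they cannot be tied to an owner who may have left.
    """
    terminated = {
        row["employee_id"].strip(): date.fromisoformat(row["termination_date"])
        for row in parse_csv(hr_csv)
    }
    cutoff = as_of - timedelta(days=grace_days)
    findings = []
    for acct in parse_csv(directory_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to do
        emp = acct["employee_id"].strip()
        if not emp:
            findings.append((acct["username"], "no owner on record; review"))
            continue
        term_date = terminated.get(emp)
        if term_date is None or term_date > cutoff:
            continue  # not terminated, or still inside the grace period
        reason = "terminated %s but still enabled" % term_date.isoformat()
        if date.fromisoformat(acct["last_logon"]) > term_date:
            reason += "; logon after termination"
        findings.append((acct["username"], reason))
    return findings


def sample_findings(grace_days=0):
    """Run the check over the constructed sample data."""
    return find_orphaned_access(HR_TERMINATIONS_CSV, DIRECTORY_CSV, AS_OF, grace_days)


if __name__ == "__main__":
    for username, reason in sample_findings():
        print("%-12s %s" % (username, reason))
```

Running it against the sample data flags alice (enabled and logged on after her termination), carol (enabled, inside a day of termination) and svc_backup (no owner), while bob is already disabled and dave is not on the HR list. The grace period exists because directories rarely update the same hour as HR does; it should be a day or two at most, and the "logon after termination" marker is the finding that deserves an incident ticket rather than a cleanup ticket.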

Mobile connectivity, new online applications and developments in IT infrastructure throw open new vulnerabilities that will be exploited by attackers before they are secured.

 |
Mobile & iPhone Malware - Personal devices, from mobile handsets to BlackBerrys and iPhones, will be subjected to increasing malware attacks, partly due to their massive popularity with consumers and partly due to vulnerable technology features such as personalized GPS. With mobile phones increasingly used to access corporate data, attacks on the mobile front, which have been comparatively few so far, will rise. The ubiquitous nature of mobile phones and their usage will lead to rising attacks on Wi-Fi access points, using them for data theft or to perpetrate further attacks while remaining outside the institution's premises. Lacking the sophistication of corporate network security, Internet-enabled phones will lead to rising malware downloads, placing data and network security at risk.
 |
Web 2.0 Vulnerabilities will Multiply - Although Web 2.0 has been around for a few years now, corporations are still grappling with the means and extent of control over communication and collaboration through social networking, blogs, wikis, forums and more. This will lead to higher levels of security vulnerability, since these applications are interactive by design: they accept and republish user-supplied content, which is what gives attackers their way in.
 |
Cloud Computing & SaaS - As corporations and individuals increasingly move to cloud computing, relying on remote web servers to store not just email but crucial applications and data, vulnerabilities in this new direction will lead to higher threat levels. Similarly, software as a service (SaaS), which depends on applications hosted on the Internet, will lead to a higher number of threats.

Growing ideology in the name of religion has blurred the lines between religion and nation. Having resorted until now to guerrilla warfare in the physical world, with relatively little use of Internet technology, these attackers will turn increasingly tech-savvy. The commercialization of threats, with hacking tools for sale on the net, ensures that these ideologues needn't look far for the means to conduct not just one but a series of attacks from their remote and distant locations.

The ease with which attacks can happen is seen in the fact that all it took to choke the sites of Estonia and Georgia was to download a malicious HTTP flood Denial of Service (DoS) testing tool called DoSHTTP, available on the Internet via a simple Google search. Many such malicious programs are being developed by organized crime syndicates.
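The defensive counterpart to a point-and-click flood tool like the one described above is noticing the flood early, which for an HTTP flood means watching the request rate per client in the web server's own access log. The detector below is an added example, not part of the original text: it parses Common Log Format lines, keeps a sliding window of request timestamps per client IP, and reports any IP whose count inside the window exceeds a threshold. The log lines are constructed, and the window length and threshold are assumptions that must be tuned against a site's normal traffic. One caveat a practitioner should keep in mind: a flood spread across many source addresses will not trip a per-IP threshold, so this catches the single-tool attacker, not a distributed one.

```python
"""Spot HTTP flood sources in a web server access log.

Added example, not from the original text. Parses Common Log Format lines
and keeps a sliding window of request times per client IP; any IP whose
request count inside the window exceeds THRESHOLD is reported. Log lines are
constructed; WINDOW_SECONDS and THRESHOLD are assumptions to tune per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW_SECONDS = 10   # assumed detection window
THRESHOLD = 20        # assumed max requests per client per window


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for a malformed line."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def detect_floods(lines, window_seconds=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: peak_requests_in_window} for every IP that exceeds threshold.

    One deque per IP holds the timestamps still inside the window; entries
    older than window_seconds are dropped from the left as time advances.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than abort the run
        ip, ts, _req, _status = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() >= window_seconds:
            window.popleft()
        if len(window) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


def format_clf(ip, ts, request, status):
    """Render one Common Log Format line (used only to build the sample log)."""
    return '%s - - [%s] "%s" %d 512' % (ip, ts.strftime(TS_FORMAT), request, status)


def make_sample_log():
    """Constructed log: two clients browsing normally and one flooding client."""
    base = datetime(2009, 2, 2, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(6):  # one request every 10 s from each normal client
        for ip in ("192.0.2.10", "192.0.2.11"):
            events.append((base + timedelta(seconds=10 * i), ip, "GET /index.html HTTP/1.1"))
    for i in range(60):  # 60 requests in under 5 s from the flooding client
        events.append((base + timedelta(milliseconds=83 * i), "198.51.100.7", "GET / HTTP/1.1"))
    events.sort(key=lambda e: e[0])
    return [format_clf(ip, ts, req, 200) for ts, ip, req in events]


if __name__ == "__main__":
    for ip, peak in detect_floods(make_sample_log()).items():
        print("%s: %d requests inside %d s (threshold %d)" % (ip, peak, WINDOW_SECONDS, THRESHOLD))
```

On the constructed log the two browsing clients never hold more than one request inside the 10-second window, while the flooding client reaches 60 and is reported. In production the same loop would read the log tail continuously and feed the offending address to a firewall or rate limiter; the threshold should be set from a baseline of the busiest legitimate client, not guessed.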

Targets aren't always government institutions and websites, since these attackers are looking for anything that can cause massive economic loss, casualties or instability; in short, anything that leads to large-scale bleeding. Corporate targets can lead to that as much as government targets do. Leading the list (and there's nothing new about the list) are utilities, power and waterworks institutions, and large corporations that are symbols of prestige; in fact any institution that strikes the attacker as a target worth hitting for the publicity, if nothing else. And then there can always be collateral damage.

Serious Business of the Lighter Side
The emergence of online gaming applications, social networking communities such as Facebook and MySpace, and online hobby worlds such as Second Life has created an entire subculture that attaches great importance to these virtual media, so much so that whole lives revolve around them. Hackers can exploit users' attachment to gaming records and hobby credentials to gain illegal access to their accounts and later use blackmail, threats and coercion for financial gain.

What's the Solution?
While knowing the user and integrating user identity comprehensively into the organizational security solution is the key to countering well-planned guerrilla attacks, security solutions that detect the patterns of threats are the support system that can contain threats in 2009.